Security requirements should be added to policy statements

Reference no: EM13922434

The following is an extract from a corporate security policy (list 1):

Logon Procedures:

It is the responsibility of service providers, system administrators, and application developers to implement logon procedures that minimize opportunities for unauthorized access. Threshold and time periods are to be defined by the Trustee.

Logon procedures should be enabled that disclose the minimum information about the system, application, or service to avoid providing an unauthorized user with unnecessary assistance.

Logon procedures should:

  •  Not display system or application identifiers until the logon process has been successfully completed.

  •  Not disclose/display to the screen the password entered during logon.

  •  Display a specific warning that the system and/or application should only be accessed by authorized users.

  •  Not provide help messages during the logon procedure that would aid an unauthorized user.

  •  Internet-based systems must only request authentication credentials via the HTTP POST method over an encrypted channel, such as TLS.

  •  Validate the logon information only upon completion of all input credentials. If an error condition arises, the system should not indicate which part of the authentication credentials is correct and which part is incorrect.

  •  Limit the number of unsuccessful logon attempts allowed before an access denial action is taken. Three attempts are recommended and in no circumstances should more than six attempts be allowed.

  •  Establish thresholds for the maximum number of denial actions within a given period before further unsuccessful logon attempts are considered a security-relevant event. Six attempts by the same logon ID or requesting device in a 24-hour period should be set as an upper threshold. Exceeding thresholds should cause one or more of the following:

       •  The authentication device is suspended or rendered inoperable until reset.

       •  The authentication device's effectiveness is suspended for a specified time period.

       •  Logging of the invalid attempts and/or a real-time alert is generated.

       •  A time delay is forced before further access attempts are allowed.

  •  Limit the maximum time period allowed for the logon procedure. 20 seconds is recommended; however, 30 to 40 seconds may be required for two-factor authentication.

  •  Disconnect and give no assistance after a rejected attempt to logon.

  •  Display the following information upon completion of a successful logon:

       •  Date and time of the previous successful logon.

       •  Details of any unsuccessful logon attempts since the last successful logon.
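The logon-procedure bullets above describe a concrete control set: evaluate the full credential pair before answering, answer every failure with the same message, take a denial action after the attempt limit, treat a run of denial actions inside 24 hours as a security-relevant event, and disclose last-logon details only after success. The following is an added illustration of that flow in Python; it is not code from the policy document. The in-memory account table, the injected clock (`now` in seconds), the 60-second forced delay and the salted PBKDF2 hashing are this example's own assumptions, since the policy fixes only the attempt counts and the 24-hour window.

```python
"""Logon procedure implementing the policy extract above: generic failure
messages, an attempt limit with a forced delay, a rolling 24-hour denial
threshold that raises a security event, and last-logon disclosure on success.
Added illustration only; the in-memory account table, the injected clock and
the constants below are constructed for this example."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_ATTEMPTS = 3          # policy: three attempts recommended, never more than six
DENIAL_THRESHOLD = 6      # policy: six denial actions per logon ID within 24 hours
WINDOW_SECONDS = 24 * 3600
DELAY_SECONDS = 60        # assumed length of the forced delay after a denial action
GENERIC_FAILURE = "Logon failed."   # never reveals which credential was wrong


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0                     # consecutive failures in the current run
    denied_until: float = 0.0             # end of the forced delay (seconds)
    denial_times: List[float] = field(default_factory=list)
    last_success: Optional[float] = None
    failed_since_success: int = 0


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-SHA256; the policy does not prescribe this, it is the example's choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LogonService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.security_events: List[str] = []   # stands in for the log / real-time alert

    def add_user(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user_id] = Account(salt, hash_password(password, salt))

    def logon(self, user_id: str, password: str, now: float) -> dict:
        """Evaluate the full credential set, then answer with a single generic
        failure message or a success record carrying the last-logon details."""
        acct = self.accounts.get(user_id)
        if acct is None:
            # Unknown ID: do the same hashing work so timing does not reveal valid IDs.
            hash_password(password, b"\x00" * 16)
            return {"ok": False, "message": GENERIC_FAILURE}
        if now < acct.denied_until:
            # Still inside the forced delay: rejected without further assistance.
            acct.failed_since_success += 1
            return {"ok": False, "message": GENERIC_FAILURE}
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            result = {
                "ok": True,
                "previous_logon": acct.last_success,
                "failed_attempts_since": acct.failed_since_success,
            }
            acct.failures = 0
            acct.failed_since_success = 0
            acct.last_success = now
            return result
        acct.failures += 1
        acct.failed_since_success += 1
        if acct.failures >= MAX_ATTEMPTS:
            self._denial_action(acct, user_id, now)
        return {"ok": False, "message": GENERIC_FAILURE}

    def _denial_action(self, acct: Account, user_id: str, now: float) -> None:
        # Access-denial action: force a delay and count it against the 24-hour threshold.
        acct.failures = 0
        acct.denied_until = now + DELAY_SECONDS
        acct.denial_times = [t for t in acct.denial_times if now - t < WINDOW_SECONDS]
        acct.denial_times.append(now)
        if len(acct.denial_times) >= DENIAL_THRESHOLD:
            self.security_events.append(
                f"security-relevant event: {len(acct.denial_times)} denial actions "
                f"for {user_id!r} within 24 hours"
            )
```

The unknown-ID path deliberately performs the same hash computation as the known-ID path, so that response time does not become the "help message" the policy forbids; the only information a caller receives before success is the constant `GENERIC_FAILURE` string.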

The following is an extract from a detailed set of corporate security requirements (list 2):

2.2.2 OS Logon Authentication

2.2.2.1 OS Logon Identifiers

D-SEC-120     Logon identifiers for the execution environment (e.g. operating system) shall be required for system access.

D-SEC-121     Logon functions shall require a non-blank (i.e. not NULL) user identifier for logon.

D-SEC-122     Any default identifiers shall be capable of being deleted.

D-SEC-123     Logon Identifiers shall have a minimum length of six characters containing a mix of alphabetic and numeric symbols.

D-SEC-124     Logon identifiers shall be stored in a non-volatile manner.

2.2.2.2 OS Logon Passwords

D-SEC-125     Logon Passwords shall be required for system and service access.

D-SEC-126     Logon passwords shall not be disclosed/displayed to screen, when entered during logon.

D-SEC-127     Logon password lengths shall not be disclosed/displayed to screen, when entered during logon.

D-SEC-128     Logon functions shall require a non-blank (i.e. not NULL) user password for logon.

D-SEC-129     Any default passwords shall be capable of being deleted.

D-SEC-130     Logon passwords shall have a minimum length of six characters, containing a mix of alphabetic and numeric symbols with special characters allowed.

D-SEC-131     Logon passwords shall be stored in a non-volatile manner.

D-SEC-132     Logon passwords shall be stored in hashed form only.

D-SEC-133     Logon password storage shall use the SHA-1 hash algorithm at a minimum.

D-SEC-134     Logon password storage shall use the SHA-256 hash algorithm as an alternative to the SHA-1 hash algorithm.

D-SEC-135     Logon identifier verification shall use a token method as an alternative to passwords.

D-SEC-136     Logon identifier verification shall use a biometric method as an alternative to passwords.

D-SEC-137     An age threshold shall be definable for all logon passwords.

D-SEC-138     Logon passwords shall be voided when the password has exceeded the password age threshold.

D-SEC-139     The age threshold for logon passwords shall be capable of being disabled.

D-SEC-140     The minimum age threshold for logon passwords shall be 30 days.

D-SEC-141     The maximum age threshold for logon passwords shall be 999 days.

2.2.2.3 OS Logon Function (Process)

D-SEC-142     Logon functions (processes) shall support password age checking.

D-SEC-143     Logon functions shall support a settable threshold of tries a user will be given to enter a valid logon ID and password combination.

D-SEC-144     Logon functions shall support disabling the threshold of tries a user will be given to enter a valid logon ID and password combination.

D-SEC-145     The minimum threshold of tries a user will be given to enter a valid logon/password combination shall be 1 attempt.

D-SEC-146     The maximum threshold of tries a user will be given to enter a valid logon/password combination shall be 15 attempts.

D-SEC-147     Logon functions shall lock out the keyboard when the threshold for unauthorized/invalid attempts is exceeded.

D-SEC-148     Logon functions shall support a settable time interval between 1 minute and 360 minutes that controls the period of keyboard lockout following the user's failure to enter a correct logon/password combination within the allocated number of attempts.
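Several of the requirements in list 2 are numeric bounds (password age 30 to 999 days or disabled, tries threshold 1 to 15 or disabled, lockout 1 to 360 minutes) and a small set of storage and format rules (non-blank, six-character alphanumeric identifiers and passwords, hashes only, passwords voided once they age out). The Python below is an added illustration of how a logon component can enforce those bounds and rules; it is not the document's own code. The `LogonSettings` and `StoredCredential` structures are assumed, and the per-user salt and PBKDF2 iteration count are this example's additions: D-SEC-133/134 name only the hash algorithm, and an unsalted single-pass hash is not adequate protection for stored passwords, so the example uses the D-SEC-134 SHA-256 alternative inside a salted key-derivation function.

```python
"""Settings bounds and password lifecycle checks for the OS logon requirements
above (D-SEC-121/123, 128/130, 132/134, 138-141, 144-146, 148). Added
illustration, not the document's own code; the settings object, the credential
record and the PBKDF2 salting are this example's assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

DAY_SECONDS = 86400


@dataclass(frozen=True)
class LogonSettings:
    password_age_days: Optional[int] = 90   # None disables age checking (D-SEC-139)
    max_tries: Optional[int] = 3            # None disables the tries threshold (D-SEC-144)
    lockout_minutes: int = 15               # keyboard lockout period (D-SEC-148)

    def __post_init__(self) -> None:
        # Reject settings outside the ranges the requirements allow.
        if self.password_age_days is not None and not 30 <= self.password_age_days <= 999:
            raise ValueError("password age threshold must be 30..999 days (D-SEC-140/141)")
        if self.max_tries is not None and not 1 <= self.max_tries <= 15:
            raise ValueError("tries threshold must be 1..15 attempts (D-SEC-145/146)")
        if not 1 <= self.lockout_minutes <= 360:
            raise ValueError("lockout interval must be 1..360 minutes (D-SEC-148)")


def _mixed_alnum(value: str, minimum: int) -> bool:
    # Non-blank, at least `minimum` characters, with both a letter and a digit present.
    return (len(value) >= minimum
            and any(c.isalpha() for c in value)
            and any(c.isdigit() for c in value))


def identifier_meets_policy(user_id: str) -> bool:
    return _mixed_alnum(user_id, 6)           # D-SEC-121 / D-SEC-123


def password_meets_policy(password: str) -> bool:
    return _mixed_alnum(password, 6)          # D-SEC-128 / D-SEC-130 (specials allowed)


@dataclass
class StoredCredential:
    salt: bytes
    digest: bytes        # only the hash is persisted, never the password (D-SEC-132)
    set_at: float        # when the password was set, seconds since epoch


def _digest(password: str, salt: bytes) -> bytes:
    # SHA-256 (the D-SEC-134 alternative) run through PBKDF2 with a per-user salt;
    # the salt and iteration count are this example's choice, not a requirement.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def store_password(password: str, now: float) -> StoredCredential:
    if not password_meets_policy(password):
        raise ValueError("password does not meet D-SEC-128/130")
    salt = os.urandom(16)
    return StoredCredential(salt, _digest(password, salt), now)


def check_password(cred: StoredCredential, password: str, now: float,
                   settings: LogonSettings) -> str:
    """Return 'invalid', 'expired' or 'ok'. A wrong password is reported as
    invalid even when the stored one has aged out, so no extra detail leaks."""
    if not hmac.compare_digest(_digest(password, cred.salt), cred.digest):
        return "invalid"
    if (settings.password_age_days is not None
            and now - cred.set_at > settings.password_age_days * DAY_SECONDS):
        return "expired"     # D-SEC-138: voided once the age threshold is exceeded
    return "ok"
```

Validating the bounds in `__post_init__` means an administrator cannot configure a 0-try threshold or a 5-day password age by accident, and ordering the checks in `check_password` so that correctness is tested before age keeps the "expired" response from confirming a password to someone who does not already hold it.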

Question: Identify 5 detailed security requirements that should be added to list 2 based upon policy statements in list 1 that are NOT covered by entries already present in list 2. Be sure to identify the policy statements in list 1, then add five new requirements to list 2 based upon those policy statements.

Question: Identify 5 policy statements that should be added to list 1 based upon detailed security requirements in list 2 that are NOT covered by policy statements already present in list 1. Be sure to identify the requirements in list 2, then add five new policy statements to list 1 based upon those requirements.
